Invoke-RestMethod with -usedefaultcredentials will execute API and ignore Roles security

Hello, I am on the latest PSU version and I am noticing odd behaviour when I run my Invoke-RestMethod with the -UseDefaultCredentials switch in that it will execute the API endpoint for any user. That’s users that are not even assigned to the Role that has been granted. When an API is called this way I don’t see the Roles.ps1 being executed at the backend. To work around the problem I created an Identity in PSU and assigned the identity to a Role. I then granted this Identity a token and assigned only this Role to the API. In the API code is a check that it is this identity and if not the code exits. Have I set it up incorrectly or is the workaround the only viable way to circumvent this issue? Cheers Carl.

Product: PowerShell Universal
Version: 2.7.3
1 Like
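The in-endpoint identity check described in the post, written out as an added example that is not code from the thread or from the PowerShell Universal project. It assumes PSU exposes the caller's identity name to the endpoint script in `$Identity` and that `New-PSUApiResponse` accepts `-StatusCode` and `-Body`; `svc-report-api` is a constructed identity name. The check is defence in depth on top of the Role assignment, so an unexpected caller is refused and logged even if Role evaluation is skipped.

```powershell
# Added example: explicit identity allow-list inside a PSU API endpoint script.
# Assumptions (confirm against the PSU docs for your version):
#   - $Identity is populated by PSU with the name of the calling identity
#   - New-PSUApiResponse accepts -StatusCode and -Body
$AllowedIdentities = @('svc-report-api')   # constructed: the dedicated identity for this API

if ([string]::IsNullOrEmpty($Identity) -or ($AllowedIdentities -notcontains $Identity)) {
    # Record the rejected call so an operator can see unexpected callers in the logs
    Write-Warning "Rejected API call: identity '$Identity' is not in the allow-list"
    New-PSUApiResponse -StatusCode 403 -Body 'Forbidden'
    return
}

# Only the dedicated identity reaches this point; do the real work here
$result = @{ status = 'ok'; caller = $Identity }
$result | ConvertTo-Json
```

Keep the allow-list to the single identity that holds the token, and keep the Role assignment on the API as well, so that removing either control alone does not open the endpoint.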

I can reproduce this. Being a security issue, we’ll get a build out today to resolve this.

2 Likes

Hi @adam, thanks for the quick resolution.
Can you confirm this issue isn’t present in version 1.5.21?

It is not. Here are the details that include the affected versions: Security Notice: PowerShell Universal Authorization Bypass

Ok thank you.

Adam - does 2.7.4 include the patched LiteDB DLL for Azure?

No. You’ll need the latest 2.8 nightly to get both the LiteDB fix as well as this one.

1 Like